What does a vulnerability verification specialist do?

Chris Sienko: Hello and welcome to another episode of the Cyber Work with infosec podcast. Each week I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's guest is Lauren McCaslin, the vulnerability verification team lead threat research center at WhiteHat Security. One of the focus points of the cyber work podcast is to introduce our listeners to interesting job titles that they may not have considered before when considering a career in cybersecurity. So Lauren is going to tell us about vulnerability verification specialist as a career opportunity and what it's all about. Lauren McCaslin is a vulnerability verification specialist with application security leader WhiteHat Security. She's based in the Houston, Texas threat research center where she analyzes findings produced by automated AppSec scanners and determines whether or not company's assets are vulnerable to attack. Lauren thank you for joining us today.

Lauren McCaslin: Thank you for having me.

Chris: So I'd like to start the show like we always do by getting a little bit of a background on our guests. How, when did you first start getting interested in computers and security? Is that something that you are always interested in or did it come later in life?

Lauren: So I grew up in the generation of MySpace and [inaudible 00:01:24] and Facebook and all of that. So I definitely had tech in my life as I grew up. So it's always been an interest. I think that really it became a focus when the media started doing more on hacking attacks, different things that were just being more publicized. So I actually use that as a jump off to sort of seek out an opportunity at WhiteHat and here I am.

Chris: Do you remember any particular hacker event in the news that especially sort of excited you when you were coming up?

Lauren: I think it was just the volume of information leakage and stuff like that coming out and data security, all of that

Chris: There was this sort of sense that this is a pervasive issue that you could jump in and sort of help with.

Lauren: Exactly.

[crosstalk]

Chris: Sorry about that. What did you say?

Lauren: I was just saying it makes you feel like you're doing something good for the world.

Chris: Right. Yes. Absolutely, yeah. We've had several guests who decided at one point to be on the side of the good guys and the few that had the choice to possibly be back.

Lauren: Right.

Chris: So for those who aren't familiar with the job title, what exactly is a vulnerability verifications specialist? What does your position entail?

Lauren: Right. Well, like you mentioned at the beginning, we do have an automated scanner. So here at WhiteHat that means we're going to be verifying our automated scanner findings, just whether or not they're legitimate threats to our clients.

Chris: Okay. So sort of walk me through an ordinary day as a vulnerability verification specialist. Where do you start your day? What time of day are you on task? What are the points of highest intensity in the day? Things like that.

Lauren: Well, we do have flexible scheduling, but a common day we do a nine to five style workload. We'll analyze any threats that come in from our automated scanner, when necessary we'll write up customer concepts to kind of explain to our clients how we're able to exploit the vulnerability, give them steps to reproduce it themselves so that we can empower them to correct the issue. We also do some one on one discussions with our clients, so they're able to reach out to us directly and ask us questions about the vulnerabilities, ask us about remediation plans, things like that. And then we also do retesting. So if our clients believe that they've put a fixed in, they can request for us to go in and retest the finding manually to see whether or not the vulnerability still remains. And if it does, we'll update them on exactly how it's changed, why it's so vulnerable, all of that.

Chris: Okay. Do you have sort of a flowchart when a vulnerability comes in from one of your clients... I start with this, then I look at this or is it different from each with each attack?

Lauren: We have some guides we do that our team follows, but not every vulnerability is the same. So it's definitely going to be however the application is behaving. So we just use the guidance baseline and then kind of build from there.

Chris: Okay. Do you have certain job tasks that you perform pretty much every day and what are your favorite aspects of the job?

Lauren: Yeah, I think that my favorite part of the job is definitely getting that one on one interaction with the clients. It's really rewarding when you feel like you're helping them understand. And our contacts are not always technical so I really enjoy kind of doing the high level explanation and it's super rewarding whenever they come back and say, "Oh, thank you. I understand now. Now I can go back to my dev team and explain to them." So that's probably my favorite aspect. The highest intensity I would say is probably trying to get through a blacklist. Some people might not find that very thrilling, but I definitely do. I think it's one of the more high intensity aspects because we're sitting there and we know that we might be able to break in and get some cross site scripting, but they're filtering several different things that we would try to use. So just trying to find that one injection that will work is really, really fun.

Chris: So that's sort of has that feeling of a mystery to be solved?

Lauren: Yeah, it's like a capture the flag.

Chris: Okay. Okay. All right. So what sets of skills or experiences or certifications or professional recognitions or combination of all of them, should our listeners be working toward if they want to move into a position like this vulnerability verifications specialist?

Lauren: I mean, I think that the basic is a really good understanding of JavaScript and HTML. I think that if you have that good baseline and you have a passion for learning, you have a really good start. I would think that they could go and do some self study on OWASP and use some of those references. Just Google different web application attacks. As far as certifications go, some companies do list them as requirements so it can be helpful but I would say, CEH or certified ethical hacker is one that I think is helpful. GWEB does a GIAC cert. OWSE is a new one from offensive security that I think is really interesting. So I think that would probably be a good one to seek out.

Chris: What was your sort of educational track? Did you take computer science in college? Did you do cert studies? Did you self teach?

Lauren: Yeah. So I think that I definitely have a nontraditional background, don't have a technical degree. I came into this field and I'm lucky that WhiteHat does have a very good training program. So we focus on learning in depth about all of the different web attacks. And I think that just that and combination with having, like I said, that passion and that interest for learning more about it, it's led me to where I am now.

Chris: Okay. What is one thing that listeners might think is important to learn to be a vulnerability verification specialist but actually isn't? What are some of potential career shifters shouldn't bother with? Are there certain certs or certain skills that they think they need to learn but you don't really ever use them in your position?

Lauren: I think touching back on my own journey, you don't have to have a technical degree. I think that's a common misconception. I think it is beneficial because like I said, it gives you that good baseline but it's not necessary. Same thing with the certifications. If you're thinking about switching jobs, you don't need to go off and get every technical cert that you can think of. I think the best things that you can do are the self study. There's a lot of different options online nowadays. You can do bootcamps for learning more about code. So there's just so many resources that you can use just by Googling.

Chris: Okay. So in general, vulnerability verification specialists as sort of a career, where do they sort of stand in a corporate hierarchy? Are they, I know you work for WhiteHat, but are they normally employed by a company or do they work freelance? Is it largely an in house kind of thing or how does it work?

Lauren: There are so many different levels. At WhiteHat it is an entry level position, but at other companies, I know that it's a little bit higher up in the hierarchy. And you don't have to work at a company if you want to do this style of work. There's bug bounty programs out there. So if you do find that this is interesting for you and you want to earn a little income, you can go seek out bug bounty programs and that's a good way to earn a little extra money.

Chris: Have you done that before or?

Lauren: I've looked into them. I've never actually submitted one, but yeah.

Chris: Cool. So in the interest of not making this all silver linings with no dark cloud, what are the least interesting or most repetitive parts of the job, not necessarily at your job, but like vulnerability verification specialist in general? What are the parts of the job that wake you up at 2:00 AM or bug you on weekends or whatever?

Lauren: I think that's something that is kind of a struggle is imparting the importance of application security in general. I think a lot of companies really rely heavily on the defensive side and they're not necessarily considering the offensive side. So I think that really if you want to have strong application security, you need to have the full spectrum. You need to have that good security posture and you have to be checking out multiple levels.

Chris: Okay. So what would you recommend that most companies do that they're not doing right now? What sort of implementations would you suggest?

Lauren: I would say just have some scanning. Do that offensive. Don't just rely on your firewall and-

Chris: Yeah. Don't wait until they're already in.

Lauren: Yeah, exactly.

Chris: Okay. So we already talked a little bit about certs. What was the new one that you said that's coming up? What was that?

Lauren: OWSE. The same people who do OCP, which is highly regarded. I think that their new one is for advanced web attacks and exploitation. So really interesting. I'm definitely going to, myself, look into that a bit more, but I think that that one is probably going to be really cool.

Chris: Do you think certain certs are on the rise and certain ones are becoming sort of less desirable to HR departments and so forth?

Lauren: I think in general, certs are a really good way to get your foot in the door because companies see it and they say, "Oh, this person might have really good experience." But sometimes when you talk to people who have the cert, you're like maybe unimpressed at where they're at as compared to somebody who just maybe has that job experience. So you really have to weigh it out whether or not that's going to be that thing that propels you to the next level.

Chris: Okay. So for listeners who might want to transition to this type of work, say they're maybe in a help desk position or maybe not even in tech at all, but they feel stuck in their current position, what's one action that they could begin today that would get them one step closer to a career as vulnerability verifications specialist?

Lauren: I think it depends on where they're at. If they are in a coding position and they have that strong background already, I would say that the next step would be to look up some like Google capture the flags or there's some XSS challenges that you can Google online. Like Yamagata is one that we use here. Code Academy is good for that. People who don't have that code background, W3Schools. There's a lot of online resources. It just depends on what level of technical expertise you're starting at.

Chris: Okay. So I want to circle back to another thing you mentioned before about that you enjoy the communication with the clients and sort of explaining to them what happened and what you caught and so forth. So sort of tell me a little bit about the communication toolbox that a vulnerability verification specialist needs to have. You're talking to them one on one, but I imagine you're also... are you preparing reports? Are you preparing charts or graphs or anything like that? Or how do you get the point across?

Lauren: So in our world we have a communication platform called Sentinel. So our clients will reach out to us, we have an ask a question feature, so it's all written correspondence. We do have another team that handles the verbal correspondence. But for us, all of our information is housed within our Sentinel platforms. So the clients already have all that information, we already have all that information. So when we're going back and forth with them, we're generally talking about a very specific vulnerability. So we talk to developers, we talked to SecOps we talk to just the full spectrum of clients and it really ranges on what we're talking about from minute technical details to just like overall understanding of our methodology and why something is vulnerable in general. So it's a wide range.

Chris: Okay. So it sounds like there's also a premium on people who are able to take high level concepts and explain them to people who might not otherwise have tech backgrounds, but also being able to be on par with people who do have high tech backgrounds. You're sort of working on two sides of the fence.

Lauren: Yeah, I definitely think so. I think having those strong communication skills is helpful. But that's something again, that WhiteHat sort of helps people on their journey with a lot of coaching. We have training programs specifically related to talking to clients, so we try really hard to make sure that we're well-equipped.

Chris: Okay. Tell me a little bit about... I saw on your LinkedIn page and in your bio that you are a member of a group called Women of WhiteHat. We know that women in tech and cybersecurity fields are underrepresented and they often face barriers to entry and retention. So what are some of the strategies that this group is using to attract women to WhiteHat, foster their growth in the organization and move toward gender parody at all level in the organization?

Lauren: So the Women of WhiteHat group actually started as just a chat channel because we do have three locations. So we have our San Jose office, we have our Houston office, and we also have an office in Belfast, Northern Ireland. So that's how we initially started. And it was just sort of a way to encourage, support, offer mentorship. And then it sort of expanded recently and we actually had an event at our headquarters in San Jose where we had some guest speakers come in to talk about career growth, personal development, work life balance, all of those amazing things.

So we also got a chance to go to the Women in Silicon Valley Tech Conference, which was amazing. We heard some really powerful speakers. I think that just having a group is a good first step. We're working on making it more formalized, getting some chairs and having... our office locations have chapters. So we're definitely on our journey there, but I think that, that's a really good step in the right direction to kind of showing women that we are a diverse company where you seek that out and we want to promote inclusion as best we can.

Chris: And I assume there's sort of mentoring with veteran people and newcomers and so forth and...

Lauren: Yeah, absolutely.

Chris: So how can we make the tech industry understand that more women in tech ultimately makes the entire industry stronger and more capable of solving problems in new and innovative ways?

Lauren: I think that it goes back to really making sure that your company knows the data points. It's statistically proven that diverse teams perform better. So I think if you're at a company that maybe doesn't prioritize diversity inclusion, speak up. Say something about it. Gather some statistics yourself and show that to them. Make a case for it. Try to work with your HR department to get something in place to try to take that first step to get some more diverse candidates. There's a lot of different things that you can do, but I think the first step is say something about it.

Chris: Okay. So what tips would you give to women entering the world of security? What are some of the pernicious pitfalls that you've learned to sidestep over the years and what recommendations would you give to organizations to make their corporate culture more welcoming to a diverse workspace?

Lauren: So I think the advice that I would give is don't be afraid to ask questions. I know that when I first started, because I didn't have that technical background, sometimes I shied away from asking questions when I had them and I would try to go research them myself. I think that that was something that I didn't need to do. I should have just spoken up, not been afraid of the imposter syndrome in me. So I think that that's a huge part of it. Just be brave, ask the questions because you're never going to get that information that you need if you don't ask the question. I think the pitfalls that I dealt with, assuming the worst. That's something that you definitely have to learn is stop assuming the worst when you're communicating with people. Always try to assume the best intentions and if there's any issues that you run into, don't be afraid to kind of pull that person aside and work with them one on one to try to find out what you can do differently.

So communicate better or more effectively. So I think that those things are important. I think that what I would recommend to companies is to build diversity into your hiring process. So I was mentioning reach out to, if you're hiring for entry level positions, reach out to nearby colleges that have that diversity profile that you're looking for. Or if you're looking for a little bit of a higher level, maybe professional groups in the area, same thing. Those that mimic your diversity profile and that will help you get a more diverse candidate pool. I think the other part of it that people don't necessarily consider as much is to make sure that you also have a diverse interview panel. It's not just one side because the biases are unconscious. So you got to make sure that you have diversity at every step.

Chris: Mm-hmm (affirmative). Okay. Thank you. So moving back to the sort of position itself, there's something I just thought of, so what are the sort of next steps after... if you're a vulnerability verification specialist, what's the next sort of step up the ladder? Where do you start and then where can this take you on the way up in the company?

Lauren: Right. So here we do have, we're actually building it out right now, our application security expert program. So we really want people to be well rounded. So we want our employees to have an opportunity to work at various different positions at application security. So we also offer a static analysis testing. So we would prefer for our team to maybe jump off from the DAS side or dynamic security side to go into that static side and really learn both aspects. And then from there maybe they can help us write rules for our automated scanning. So be more on the coding side of things. So there's a lot of opportunity for growth and development within WhiteHat to really get that well-rounded applications security background.

Chris: Okay. Yeah. So how does that next step up the expert level? How does that, I guess, differ as a position from vulnerability specialist? How do your job roles and job responsibilities change at that point?

Lauren: Well, we each handle very specific aspects of [crosstalk 00:20:55]. So the static team specifically works on that, DAS team specifically works on dynamic. Then we also have the manual testing team that does the more... they go into an application, they're looking for vulnerabilities. They don't have that scanner saying, "Hey, here's a potential." So that would help if you want to go into consulting position where you are doing the full spectrum of testing. That gives you that huge experience to really jump off into that next level.

Chris: Okay. So what are, as we wrap up today, what are some of the exciting projects or tasks you're currently working on at WhiteHat?

Lauren: Well, right now we're working on automated scanning of API end point, so that's pretty cool project. It's going to start beta in July, so just a couple of weeks here. So that's going to be really exciting. It's an under protected area compared to sites and a lot of companies manage over 300 APIs but they don't do any security testing. So I think that it's definitely an important aspect and we're really excited for it.

Chris: Okay. And are there any trends or developments on the horizon in the coming years for vulnerabilities and security that you're looking forward to or dreading?

Lauren: I don't think so.

Chris: Okay. It's just steady as she goes?

Lauren: I think it's all a journey. We're all working together towards that journey and it's kind of, we'll see what comes and we'll adapt, we'll iterate. So it's all part of the fun of being an applications security.

Chris: Can't live in the future, it's not here yet.

Lauren: Exactly.

Chris: So if listeners want to know more about Lauren McCaslin or WhiteHat where can they go?

Lauren: We do have a WhiteHat Twitter and we also have a blog for thought leadership.

Chris: Great. Can you give me the address?

Lauren: The www.whiteHatsec.com

Chris: Whitehatsec.com?

Lauren: Yep.

Chris: Okay. Very good. Lauren, thank you so much for joining us today.

Lauren: Thank you.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your Workday, all of our videos are also available as audio podcasts. Just search Cyber Work with infosec in your favorite podcast catcher of choice. To see the current promotional offers available to podcast listeners and to learn more about our infosec pro live bootcamps, infosec skills on demand training library and infosec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description. Thanks once again to Lauren McCaslin and thank you all for watching and listening. We'll speak to you next week.